#1122863 biosig: CVE-2025-66047 CVE-2025-66045 CVE-2025-66044 CVE-2025-66048 CVE-2025-66043 CVE-2025-66046

Package:
src:biosig
Source:
src:biosig
Submitter:
Salvatore Bonaccorso
Date:
2026-04-26 09:23:03 UTC
Severity:
normal
#1122863#5
Date:
2025-12-13 13:47:44 UTC
Hi,

The following vulnerabilities were published for biosig.

Filing this as RC level as it should be fixed for forky.

CVE-2025-66047[0]:
| Several stack-based buffer overflow vulnerabilities exist in the
| MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A
| specially crafted MFER file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger these
| vulnerabilities. When Tag is 131


CVE-2025-66045[1]:
| Several stack-based buffer overflow vulnerabilities exist in the
| MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A
| specially crafted MFER file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger these
| vulnerabilities. When Tag is 65


CVE-2025-66044[2]:
| Several stack-based buffer overflow vulnerabilities exist in the
| MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A
| specially crafted MFER file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger these
| vulnerabilities. When Tag is 64


CVE-2025-66048[3]:
| Several stack-based buffer overflow vulnerabilities exist in the
| MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A
| specially crafted MFER file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger these
| vulnerabilities. When Tag is 133


CVE-2025-66043[4]:
| Several stack-based buffer overflow vulnerabilities exist in the
| MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A
| specially crafted MFER file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger these
| vulnerabilities. When Tag is 3


CVE-2025-66046[5]:
| Several stack-based buffer overflow vulnerabilities exist in the
| MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A
| specially crafted MFER file can lead to arbitrary code execution. An
| attacker can provide a malicious file to trigger these
| vulnerabilities. When Tag is 67


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66047
https://www.cve.org/CVERecord?id=CVE-2025-66047
[1] https://security-tracker.debian.org/tracker/CVE-2025-66045
https://www.cve.org/CVERecord?id=CVE-2025-66045
[2] https://security-tracker.debian.org/tracker/CVE-2025-66044
https://www.cve.org/CVERecord?id=CVE-2025-66044
[3] https://security-tracker.debian.org/tracker/CVE-2025-66048
https://www.cve.org/CVERecord?id=CVE-2025-66048
[4] https://security-tracker.debian.org/tracker/CVE-2025-66043
https://www.cve.org/CVERecord?id=CVE-2025-66043
[5] https://security-tracker.debian.org/tracker/CVE-2025-66046
https://www.cve.org/CVERecord?id=CVE-2025-66046
[6] https://sourceforge.net/p/biosig/mailman/message/59271419/
[7] https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
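The six advisories above describe one class of defect: a tag's payload is copied into a fixed-size stack buffer using a length taken from the file, without first comparing that length against the buffer. The following C reader is an added illustration of the checks a defender expects before such a copy; it is not libbiosig's code and does not implement the real MFER encoding, which is assumed here (for illustration only) to be a flat sequence of one-byte tag, one-byte length, value. The sample records are constructed; the tag numbers 3, 64, 65 and 131 are taken from the advisories.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libbiosig code. Record layout is an assumption for
 * illustration: [tag: 1 byte][len: 1 byte][value: len bytes], repeated.
 * The real MFER encoding differs; only the checks being shown matter. */

#define SCRATCH_MAX 16  /* size of the fixed on-stack value buffer */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* The unchecked pattern behind a stack-based overflow (comment only, never run):
 *     uint8_t scratch[SCRATCH_MAX];
 *     memcpy(scratch, data + pos, len);   // len comes from the file, unbounded
 */

/* Bounds-checked reader. Returns a parse_status; on PARSE_OK, *count holds the
 * number of records read and *last_tag the tag of the final record. */
int parse_records_checked(const uint8_t *data, size_t n,
                          size_t *count, unsigned *last_tag)
{
    uint8_t scratch[SCRATCH_MAX];
    size_t pos = 0, seen = 0;
    unsigned tag = 0;

    while (pos < n) {
        if (n - pos < 2)                 /* tag+length header does not fit */
            return PARSE_TRUNCATED;
        tag = data[pos];
        size_t len = data[pos + 1];
        pos += 2;
        if (len > n - pos)               /* declared value runs past the input */
            return PARSE_TRUNCATED;
        if (len > sizeof scratch)        /* the check the advisories imply was missing */
            return PARSE_TOO_LONG;
        memcpy(scratch, data + pos, len);
        pos += len;
        seen++;
    }
    *count = seen;
    *last_tag = tag;
    return PARSE_OK;
}

/* Convenience wrappers so callers can ask one question at a time. */
int status_of(const uint8_t *data, size_t n)
{
    size_t count = 0;
    unsigned tag = 0;
    return parse_records_checked(data, n, &count, &tag);
}

size_t record_count(const uint8_t *data, size_t n)
{
    size_t count = 0;
    unsigned tag = 0;
    return parse_records_checked(data, n, &count, &tag) == PARSE_OK ? count : 0;
}

/* Constructed sample inputs. */
/* Two well-formed records: tag 3 with 4 bytes, tag 64 with 2 bytes. */
static const uint8_t sample_ok[] = { 3, 4, 'a', 'b', 'c', 'd', 64, 2, 1, 2 };

/* Tag 131 with a 32-byte value: present in the input, but larger than scratch. */
static const uint8_t sample_too_long[2 + 32] = { 131, 32 };  /* rest is zero */

/* Tag 65 declaring 10 bytes with only 3 present. */
static const uint8_t sample_truncated[] = { 65, 10, 0xaa, 0xbb, 0xcc };

int main(void)
{
    size_t count = 0;
    unsigned tag = 0;
    int st = parse_records_checked(sample_ok, sizeof sample_ok, &count, &tag);
    printf("ok:        status=%d records=%zu last_tag=%u\n", st, count, tag);
    printf("too long:  status=%d\n", status_of(sample_too_long, sizeof sample_too_long));
    printf("truncated: status=%d\n", status_of(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The two rejections are deliberately distinct: a value that runs past the end of the input is a truncated file, while a value that fits in the file but not in the scratch buffer is exactly the case that turns into a stack overflow when the second comparison is absent. Fuzzing a parser with inputs of the second kind (oversized declared lengths for each tag) is how this class of bug is usually found.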

#1122863#10
Date:
2026-02-16 21:59:36 UTC
These bugs have been addressed in biosig 3.9.2:

CVE-2025-66047,CVE-2025-66045,CVE-2025-66044,CVE-2025-66048,CVE-2025-66043,CVE-2025-66046
(these were already reported with different CVE numbers against an
earlier version of biosig).

Moreover, the following vulnerabilities have been fixed in biosig 3.9.3:
    CVE-2026-20777 (i.e. TALOS-2026-2362)
    CVE-2026-22891 (i.e. TALOS-2026-2361)
    CVE-2025-64736 (i.e. TALOS-2025-2323)

Best,
   Alois

#1122863#15
Date:
2026-02-17 14:23:01 UTC
Hi Alois,

On Mon, Feb 16, 2026 at 10:59:36PM +0100, Alois Schlögl wrote:

Thank you for this.  Unfortunately as you can read in this bug
report

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124146

the package does not build (actually since version 3.9.1!)
You can see a full build log at

https://salsa.debian.org/med-team/biosig/-/jobs/9065470

Any clue how to get this building?

Kind regards
    Andreas.

#1122863#20
Date:
2026-02-17 14:39:25 UTC
I checked yesterday that adding python3.13-venv and python3.14-venv to
build-depends makes the build error different (speaking
about bug #1124146).

[ I guess this happens because python3-venv is only for the default
  python version, but the package uses all available python versions ].

(Sorry not to have the complete solution, but I think you should try that
at the very minimum).

Thanks.

#1122863#25
Date:
2026-04-26 09:20:52 UTC
We believe that the bug you reported is fixed in the latest version of
biosig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1122863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated biosig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 26 Apr 2026 10:35:51 +0200
Source: biosig
Architecture: source
Version: 3.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1112133 1122863 1124146 1130889
Changes:
 biosig (3.9.5-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Andreas Tille ]
   * New upstream version
     Closes: #1112133, #1122863, #1130889
   * d/watch: version=5
   * New upstream version
   * Fix clean target
   * Remove Priority field to comply with Debian Policy 4.7.3 (routine-
     update)
   * Standards-Version: 4.7.4 (routine-update)
   * debputy lint --auto-fix (routine-update)
   * use pybuild
 .
   [ Santiago Vila ]
   * Build-Depends: python3-venv, python3-build
     Closes: #1124146
Checksums-Sha1:
 42c2990f5a1bb123d03a9f8030a518279d7ab3ca 2514 biosig_3.9.5-1.dsc
 6281a49a1dba58ee66fcbbd3e9d7c1b74188af40 1900140 biosig_3.9.5.orig.tar.xz
 9b9d2a69d8ddc3f849b8d66c7bb826824796eddd 15200 biosig_3.9.5-1.debian.tar.xz
 1c689d37cbb1b7ecf60d027311ef5fd1d1b8e381 27506 biosig_3.9.5-1_amd64.buildinfo
Checksums-Sha256:
 edfbdbc298f24287e1a3e05f0f7dbeccf91708dbd02319dffcf6b9c02cc5e02e 2514 biosig_3.9.5-1.dsc
 dfdb7aec5ac9681f25e3c186a5b356d5ec86cda87cdcb034d38e838f875cc3f1 1900140 biosig_3.9.5.orig.tar.xz
 fe8bfa68949d28719507c328b6178a4154b0a0c849640c34c14d926ae1c44e2f 15200 biosig_3.9.5-1.debian.tar.xz
 6af355783328483db28cee9434c90fcc0e792f486431572e36573946552492ad 27506 biosig_3.9.5-1_amd64.buildinfo
Files:
 1dea0c06068ed57f79b8653b1b6cef6e 2514 science optional biosig_3.9.5-1.dsc
 5cf2c7de4b91753f305a4f46aa44cc60 1900140 science optional biosig_3.9.5.orig.tar.xz
 19ce93966f283ba876f5f7bbfec17960 15200 science optional biosig_3.9.5-1.debian.tar.xz
 bacf2e711454ccb9f667dd6da15d426c 27506 science optional biosig_3.9.5-1_amd64.buildinfo